Tunisia invades, censors Facebook, other accounts

The Tunisian government has been a notorious censor for many
years, of journalists online and off. In the wake of widespread domestic
protests in December, however, the authorities appear to have turned to even more
repressive tactics to silence reporting. In the case of Internet bloggers, this
includes what seems to be a remarkably invasive and technically sophisticated scheme to
steal passwords from the country's own citizens, in order to spy on private communications
and squelch online speech.

Based on reports from users in the country, Tunisian
authorities appear to be modifying web pages on the fly to steal usernames and
passwords for sites such as Facebook, Google and Yahoo. Unknown parties have
subsequently logged onto these sites using the stolen credentials, and used
them to delete Facebook groups, pages, and accounts, including Facebook pages administered by Sofiene
Chourabi, a reporter with Al-Tariq
al-Jadid, and the account of local online video journalist Haythem El
Mekki. Local bloggers have told CPJ that their accounts and pictures
of recent protests have been deleted or otherwise compromised.

Usually in such hacking attacks, it's hard to pin
responsibility, except circumstantially, on local governments. Those conducting
this particular attack, however, needed an extraordinary amount of privileged
access to Tunisia's network infrastructure. Looking at the clues left by the
attack, I'm among those who think all the evidence points to a state-
controlled operation.

Here's how it worked, as uncovered by the online news site The Tech Herald: When Tunisians visit,
say, Facebook, the page they receive has 10 extra lines of code, as compared to
the normal login page originally sent by Facebook itself.

When Tunisians hit the Facebook "login" button, this extra
code takes their user names and passwords, scrambles them, and then requests
another Web page, with the scrambled data embedded in the new Web address.
Tunisians never see this new page, but their browser still attempts to load it, and
because that request goes out as plain, unencrypted HTTP, the address carrying their
credentials is readable by every network hop between them and Facebook.

How did these extra 10 lines get there? It's possible that
they could be inserted by local viruses or malware, but widespread accounts
from Tunisians strongly suggest these lines are being dropped into the Facebook
page by the state-run Internet service provider, the Tunisia Internet Agency.

Where is the private username and password being secretly
sent? The extra code within the Facebook page doesn't send the password data to
another rogue Internet server, as you'd expect if this code had been inserted by
criminal hackers. Instead, the user's browser attempts to load a non-existent
page on Facebook's own site, "http://www.facebook.com/wo0dh3ad".

A page access like that would normally reveal your user name and password only to Facebook
itself. Unless, that is, the Tunisian Internet Agency is logging the web
addresses visited by its customers and keeping a record of every visit to this particular
address. Such logs are not difficult for an ISP to create or maintain: the full URL of
every unencrypted request already passes through its equipment. Indeed,
if you were building a local censorship system, you could easily generate such
a log as a side effect of your filtering systems, and picking the credential-bearing
requests out of it is then a matter of matching a single path.

From every piece of evidence CPJ has seen, this looks
nothing like a criminal hacking attack, and everything like a state-run attempt
to gain access to private online accounts. Certainly, it explains the rash of
hacking attacks on activists and reporters in the region.

What can be done? Fortunately, because the fake
"wo0dh3ad" page accessed was on their site, Facebook may well have a
log of everyone whose account was compromised and can take steps to warn and
protect their Tunisian users. As we have previously advised, Internet companies should
deploy encrypted "https" versions of their sites, and serve them by default, since
encryption in transit is what prevents intermediaries from meddling with page content
on its way to the user. And Internet
infrastructure providers and foreign governments should publicly demand an
explanation from the Tunisian Internet Agency for their violation of every
principle of Internet management, as well as their own citizens' right to
privacy and a free, uncensored online press.

San Francisco-based CPJ Internet Advocacy Coordinator Danny O’Brien has worked globally as a journalist and activist covering technology and digital rights. Follow him on Twitter @danny_at_cpj.

14 comments

Err... you forgot to write about the browser addon that stops the phishing, in your article. http://userscripts.org/scripts/show/94122

The main reason I didn't is it's really hard to walk non-technical people through installing Greasemonkey on non-Chrome browsers. Perhaps I should have provided a link for those who do understand that; thank you for doing so in the comments.

Secondly, I don't know how long this attack has been in operation, or how quickly the Tunisian authorities will adapt, which makes it hard to confidently quantify in a few words what installing this script will do. How can users be sure it's working? How will they know when it's safe to change their password? The code is being sent over http, so what guarantee can I make that this code itself won't be infiltrated? I just couldn't work out how I could confidently make an assurance that this code would help Tunisians.

My feeling is that the right solution here involves Tunisia being politically pressured to stop this (because we can detect when they stop), and Facebook resetting the passwords of all of those affected when it is safe to do so. That's the sort of work CPJ often does, so I felt it best to concentrate on that strategy here.

That said, other strategies can be effective too. I was pleased to see the script available; and I'll assure people down here in the comments that right now it does exactly what it says, which is to find and remove the inserted code on the affected sites.

(I should also state for informational purposes that the author of this code is Anonymous. That's to say, the real author has chosen to go under the collective name chosen by a wide range of online hacktivists, some of whom have been recently involved in targeted denial-of-service attacks on Tunisian government websites.)
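The job the comment above credits the script with, finding and removing the inserted code from the affected page, as an added example. This is not the userscript linked in the comments and not the real injected lines: the sample page, the stand-in for the injected block, and the marker list (built around the "wo0dh3ad" path the article names) are constructed for this example.

```javascript
// Added example, not the linked userscript. Scans served HTML for inline
// <script> blocks that mention a known marker and cuts them out before the
// login form is used, reporting how many it removed so the user can tell
// whether it found anything at all.

const INJECTION_MARKERS = ['wo0dh3ad'];   // the path named in the article

// Constructed login page: a form, one legitimate script, one injected script.
// The injected block is a stand-in, not the snippet Tunisians received.
const SAMPLE_PAGE = [
  '<html><body>',
  '<form id="login_form" method="post">',
  '<input name="email"><input name="pass" type="password">',
  '<input type="submit" value="Log In">',
  '</form>',
  '<script>window.pageLoaded = true;</script>',
  '<script>var img=new Image();img.src="http://www.facebook.com/wo0dh3ad?"+enc(document.getElementById("login_form"));</script>',
  '</body></html>',
].join('\n');

function findInjectedScripts(html, markers = INJECTION_MARKERS) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;   // fresh regex per call: no shared lastIndex
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1];
    if (markers.some((k) => body.includes(k))) {
      found.push({ start: m.index, end: m.index + m[0].length, body });
    }
  }
  return found;
}

function stripInjectedScripts(html, markers = INJECTION_MARKERS) {
  const found = findInjectedScripts(html, markers);
  let cleaned = html;
  for (const f of [...found].reverse()) {     // splice from the end so earlier offsets stay valid
    cleaned = cleaned.slice(0, f.start) + cleaned.slice(f.end);
  }
  return { cleaned, removed: found.length };
}

// Usage: stripInjectedScripts(SAMPLE_PAGE).removed is 1 and the cleaned page
// keeps the legitimate script; a page with no marker comes back unchanged.
```

A cleaner like this is only as good as its marker list: rename the path and it silently removes nothing, which is exactly the "how can users be sure it's working?" concern above, and why the returned count matters more than the cleaning itself.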

The code has an auto-updating mechanism, so if the Tunisian government changes their script, the script will be updated by the author. Feel free to check out the source code. Also, with 1000+ installs, you can't go wrong.

I understand that you may feel that it may be a better solution to politically pressure the government, but this phishing situation is very serious and is happening right now. The entire population is being phished right now as we speak, we can't afford to wait any longer. Please do continue with your efforts to pressure the government, but in the meantime a technical solution (script) is the only way Tunisians can prevent account phishing, without using a VPN or proxy.

A couple of additions to these comments and the article. I've checked the source of the plugin, and the updates are delivered over SSL. If you do want to install it, for safety please use this secure URL: https://userscripts.org/scripts/show/94122 .

Secondly, Slim Amamou, a blogger in Tunisia, said that the "wo0dh3ad" web address, in Tunisia, gets redirected to the country's censorship servers. That would mean that Facebook itself would never see this URL (although they would have other ways to work out who their Tunisian users are, and inform them).

Finally, I hear that Facebook's password change web page is now also being blocked. The last I heard, SSL in Tunisia is being throttled but not entirely blocked, so this direct link may work: https://www.facebook.com/editaccount.php

(Slim Amamou is currently believed to have been detained by the Tunisian authorities -- a colleague's screenshot of his Google Latitude position shows him to be at the Ministry of the Interior: http://yfrog.com/h70928j )

Hi. Please do anything for the Tunisian people. The police hack anything. I have one fan page for sports; it's hacked, and many other people: she is hacked, her email, Facebook, anything; after, many get hil in prison after they see her laptop or mobile or email :( This is not liberty in Tunisia.

Anonymous2: that may be true (actually, https://login.facebook.com/ could not have been blocked, otherwise the phishing code as it stands would not have worked -- though Facebook's optional SSL version on their main www service may well have been).

But that doesn't change the fact that if you want to prevent intermediaries like the Tunisian government stealing your users' logins and passwords, you need to deploy SSL. Everything else is just a reactive arms race.

Of course there are also problems with SSL -- preventing users from consistently landing on unsecureable http connections (fixed to an extent by HTTP Strict Transport Security), the broken certification authority system, particularly when your man-in-the-middle is actually a large-state-in-the-middle (fixable to an extent by cached comparisons of certificates).

But at least the fixes for SSL are systemic, not piecemeal. It forces all intermediaries to do some serious hard work to intercept communications, instead of being able to trivially grab them in this way.
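The two client-side fixes the comment above names, HTTP Strict Transport Security and cached comparison of certificates, as an added example. This is not code from the page or from any browser: it is a miniature model in which an HSTS cache learns "https only" from a Strict-Transport-Security header seen on an https response and rewrites later http:// navigations before they leave the browser, and a trust-on-first-use store remembers the certificate fingerprint first seen for a host and reports a change (what an interception proxy presenting its own certificate would cause). Header values, hosts and fingerprints are constructed.

```javascript
// Added example, not browser code: a model of HSTS policy handling and
// trust-on-first-use certificate comparison. Inputs are constructed.

function parseHsts(headerValue) {
  // e.g. "max-age=31536000; includeSubDomains"
  const policy = { maxAge: null, includeSubDomains: false };
  for (const directive of headerValue.split(';')) {
    const [name, value] = directive.trim().split('=');
    const key = name.toLowerCase();
    if (key === 'max-age') policy.maxAge = Number.parseInt(value, 10);
    else if (key === 'includesubdomains') policy.includeSubDomains = true;
  }
  // A header without a valid max-age is ignored, as browsers do.
  return Number.isInteger(policy.maxAge) && policy.maxAge >= 0 ? policy : null;
}

class HstsCache {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.hosts = new Map();    // host -> { expires, includeSubDomains }
  }

  // Learn a policy. Browsers only honour the header on an https response: one
  // seen over plain http could have been inserted by the same intermediary.
  learn(host, headerValue, overHttps) {
    if (!overHttps) return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    if (policy.maxAge === 0) { this.hosts.delete(host); return true; }   // max-age=0 clears
    this.hosts.set(host, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  covers(host) {
    for (const [known, p] of this.hosts) {
      if (p.expires <= this.now()) continue;
      if (host === known || (p.includeSubDomains && host.endsWith('.' + known))) return true;
    }
    return false;
  }

  // Upgrade before the request is sent, so the plaintext page (and anything an
  // intermediary added to it) is never fetched at all.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.covers(u.hostname)) u.protocol = 'https:';
    return u.toString();
  }
}

// Trust-on-first-use comparison of certificate fingerprints: notices a changed
// certificate even when a certification authority would vouch for the new one.
class CertPinStore {
  constructor() { this.seen = new Map(); }   // host -> fingerprint first seen
  check(host, fingerprint) {
    const known = this.seen.get(host);
    if (known === undefined) { this.seen.set(host, fingerprint); return 'first-use'; }
    return known === fingerprint ? 'match' : 'changed';
  }
}
```

The first visit is the weak point of both mechanisms: until a policy has been learned over https, an http landing page is still fetched in the clear, and a fingerprint first seen through an interceptor is the one that gets pinned. That is the sense in which the comment calls these fixes partial rather than complete.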

Unfortunately, this dirty, corrupt-to-the-bones and oppressing Tunisian government is unveiling again its ugly face. Instead of solving the country's problems: obvious regional economic disparities, liberty of political association, freedom of press, expression and protesting, ... (all supposed to be guaranteed even by the Tunisian "constitution"), this so-called constitution which was altered by this unpopular regime and oppressive president who brought himself to power, a military coup, only to serve his vicious inner circle of thieves and unscrupulous opportunists from both his family members and this stupid RCD of his dirty party. This "president" has been "elected" by less than 35 per cent of his country's population; there was never a real election since this "man" banned any opponent candidates from entering the elections. And his department of the Interior keeps falsifying the ballots, as usual, to show that he is obtaining 98 per cent of the votes? What sort of naivety and stupidity... Everybody knows he would not get such a "claim" even within his own family members. Lately, he's going to pass another amendment to his constitution, which will allow him to stay president for life. The point is, with this "bitter" drama the peaceful Tunisian people is subjected to, with bullets and barbaric special police brigades' torture, many keep supporting this dictatorship with all the MEANS, including the United States, France, ... for whose profit and which agenda? Since human rights and the well-being of people are not anymore in their calendar? TUNISIAN from the United States, worrying, grieving. With my heart and soul for my country of birth... Bilaady wa inn jaarat alayaa. Thanks for giving yourself the time to read my words.

This may sound like a quibble but it is a very important point. There is a false dichotomy in deciding whether this is a "criminal attack" or a "government attack". It is a criminal attack, even if it is conducted by a government.

People seem to presume that everything government does is legal, and moral, when in reality, legality bears no connection to morality.

Virtually every government in the world is a criminal enterprise, not because they violate their own laws, which they do, but because they commit crimes against people. In fact, you can't have a government without violently imposing your will. A monopoly over the use of force in a given region is the definition of government.

So, that the Tunisian government is committing fraud in this manner is no surprise to me.
